When a hacker gets caught, it’s not only the digital mischief-maker who gets into hot water. Sometimes the company that got hacked has to pay the price as well.
Such is the case of Cox Communications, a cable, internet, and telephone provider whose system was hacked last August, exposing the personal information of an undisclosed number of customers. The company has agreed to pay a civil penalty of $595,000 to the Federal Communications Commission (FCC) for failing to report the security breach.
Personal info given to fake website
A hacker from the notorious Lizard Squad was able to access Cox customers’ personal information by contacting a third-party contractor, posing as a representative from Cox. The hacker tricked the contractor into using her personal login on a fake site disguised as the Cox website. The same ploy was used on a Cox tech support staff member, giving hackers access to a wealth of customer personal information, including names, mailing and email addresses, security questions and answers, PIN numbers, and partial Social Security and driver’s license numbers.
The hacker proceeded to post personal information of eight customers on social media sites, and 28 customers had their passwords changed, locking them out of their accounts.
Cox did not inform the FCC
Said Travis LeBlanc, an enforcement officer with the FCC, “[t]his investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.”
Six days after Cox became aware of the breach, the company contacted the FBI, leading to the arrest of a suspect. However, Cox failed to fulfill its legal obligation to inform the FCC, as well as to inform the customers affected by the situation.
As recompense, Cox will pay a fine to the FCC, and will offer one free year of credit monitoring to the affected customers.
Cox’s goof is a reminder that companies need to do all they can to protect customers who trust them with their personal information.